Metasploit 4.5 has been out for a few days, so it's high time for an update. Let's hop to it!
1000th Exploit: Freefloat FTP WMI
I often hear the question, "How do I get started on writing exploits?" Well, I'd like to point you to Metasploit's 1000th exploit (future Hacker Jeopardy contestants, take note): On December 7, 2012, Wei "sinn3r" Chen and Juan Vazquez committed FreeFloat FTP Server Arbitrary File Upload. Now, as far as I can tell, FreeFloat FTP Server exists almost wholly as a target for exploit writers -- just start typing "Freefloat FTP" in your favorite search engine, and you'll see what I mean. If you take a moment to read this module, you'll notice that this exploit is actually just exercising the default functionality of FreeFloat FTP Server -- the user login is optional, the default location for PUT is C:\, and the de facto anonymous user can just write anywhere.
So, you'll notice that there's no fancy memory corruption, DEP bypassing, ROP chaining, or anything like that. If history is any guide, such vulns exist in this software, so if you are a newbie exploit dev, take a look.
More Security Targets
Peter "Mudge" Zatko had a great slide as part of his DARPA fast-track talk which illustrates the lines of code in security software versus lines of exploit code -- and your average enterprise security solution clocks in at about 10 million lines of code. Metasploit is, of course, no exception to this rule -- we've got plenty of attack surface. So, in addition to the OpenVAS scanning we shipped in November, the 4.5 update also includes scanners for Nessus, Nexpose, and (gasp!) Metasploit. These are all provided courtesy of community contributor Vlatko @K0st Kosturjak, who apparently has it in for security software. If we're not covering your favorite vulnerability management solution, bug K0st and give him access to your infrastructure, and I'm sure he'll hook you up. These modules aren't technically part of this week's update -- they were slipped into 4.5 -- but I just wanted to be sure that you all were aware of these new scanning and bruteforcing capabilities.
New Release Engineer
Hey, speaking of Metasploit 4.5, I also wanted to take a second to call out another secret new component -- our new release engineer, Brandon @blt04 Turner. This guy is maniacal about release quality, and was hired just before this quarterly release in a true trial-by-fire fashion. Brandon is amazingly capable with a deep background in both Ruby and Git, and is already an integral part of the core Metasploit team. So, welcome to Brandon, and thanks for taking up the huge responsibility of getting our releases and updates out the door!
This week's haul of new modules is listed below -- for details, check out Metasploit's Exploit Database.
- PostgreSQL for Linux Payload Execution by egyp7, todb, and midnitesnake
- Splunk 5.0 Custom App Remote Code Execution by sinn3r, juan vazquez, and marcwickenden
- Nagios XI Network Monitor Graph Explorer Component Command Injection by sinn3r and Daniel Compton exploits OSVDB-83552
- Maxthon3 about:history XCS Trusted Zone Code Execution by sinn3r, juan vazquez, and Roberto Suggi Liverani
- FreeFloat FTP Server Arbitrary File Upload by sinn3r and juan vazquez exploits OSVDB-88303
- HP Data Protector DtbClsLogin Buffer Overflow by juan vazquez and AbdulAziz Hariri exploits ZDI-10-174
- IBM System Director Agent DLL Injection by juan vazquez, Bernhard Mueller, and kingcope exploits CVE-2009-0880
- Symantec Messaging Gateway 9.5 Log File Download Vulnerability by sinn3r and Ben Williams exploits CVE-2012-4347
- Steam client session Collector by Nikolai Rusakov
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.